NOVICE HACKER INCITED BY HOSTING SITE

Last week, a first-time hacker took down what amounts to over one-fifth of the darknet. The target, Freedom Hosting II (FH2), is purportedly the single largest hosting provider for the darknet, accounting for over 10,000 individual domains - 10,613 to be exact. Hacktivist group Anonymous, which has since been linked to the hack, and the individual hacker himself have explained the motivation behind this large-scale takedown.

According to a statement displayed on each compromised .onion website, the hack was ethically motivated: it was triggered by the policy once displayed on every FH2 homepage, which claimed a "zero tolerance policy" for nefarious content.

After the FH2 websites were compromised on Friday, Anonymous released a statement that replaced the standard policy message described above. Visitors to any FH2-hosted website were instead greeted with the following:

Hello Freedom Hosting II, you have been hacked

We are disappointed… This is an excerpt from your front page ‘We have a zero tolerance policy to child pornography.’ — but what we found while searching through your server is more than 50% child porn…

Moreover you host many scam sites, some of which are evidently run by yourself to cover hosting expenses.

All your files have been copied and your database has been dumped. (74GB of files and 2.3GB of database)

The statement goes on to direct visitors as to where they can find the hacked data (including user email addresses, passwords and usernames).

Various news sources quickly picked up the large scale hack, including this initial report from The Verge. The resulting data dump has since been publicized and is being watched closely by cybersecurity activists worldwide.

COMPROMISED SITES NOW BEING REACTIVATED

DarkOwl Cybersecurity launched its own investigation by leveraging DARKINT; we pulled the compromised domains from Pastebin and directed the OWL Vision engine to crawl each site repeatedly. DarkOwl Vision has been collecting the entire HTML content of each site at a higher frequency than our typical daily scraping of the darknet.

Shadow Web, an FH2-hosted website that was taken down in Friday's attack, has now appeared back online.

Our DARKINT showed that the listed sites were indeed defaced with the “Freedom Hosting II – hacked” landing page, as published in the reports.

However, as early as Sunday night, DarkOwl Cybersecurity analysts observed some of the hacked sites, such as Shadow Web (pictured), slowly coming back online.

FROM OUR ANALYSTS

Because of the complexity of the Tor relay routing system, it is difficult to determine whether the reactivated sites are reloads of the compromised domains still hosted with FH2. It is equally possible that the owners of these sites have moved their source code to other darknet hosting servers and redirected their domains to point to the new (identical) sites. The latter is quite likely, as user confidence in FH2 has been significantly damaged.

A tweet from @haveibeenpwned, posted over the weekend, indicates that Anonymous also released roughly 381,000 email addresses via a MySQL database associated with the user accounts from the Freedom Hosting II breach.

Sources state that almost 21% of the 381,000 addresses had appeared in previous breaches registered in Have I Been Pwned?. This suggests that many of them are real, day-to-day email addresses rather than “burner,” or disposable, email addresses. Access to a site owner’s real email address gives federal authorities the opportunity to track down and potentially prosecute individuals if they were involved in nefarious activities on the darknet.

The FH2 hack bears a striking resemblance to an October 2011 Anonymous campaign, dubbed "#opDarknet," in which the group took down Freedom Hosting I servers. Those servers were hosting over 100 GB of illegal content at the time; the operation resulted in the exposure of some 190 individuals involved in illegal activity.

Moving forward, we'll be keeping an eye on how the FH2 hack and the subsequent data dump mirror their predecessor, especially as more of these compromised websites resurface.